I had a general question regarding the use of SHA1 and MD5 in the Drupal core code. Recently, I ran a static code scan of the Drupal 8.2.7 package and many "High" findings were identified in the scan. I understand that Drupal passwords are hashed using SHA512, but I want to understand why the obsolete functions of SHA1 and MD5 are littered throughout the Drupal core code?

Thanks in advance


Jaypan’s picture

Because someone thought they were a good idea to use in the places that they were used.

I know it's a ague answer, but with no specific examples, it's the only answer.

brian.j.galloway’s picture

That's fair Jaypan. We have many findings that found the use of SHA1 or MD5 so I kept it vague for that reason. Here is an example in case it is helpful.

Generator.php, line 845 (Weak Cryptographic Hash)

842 if ($className == '') {
843 do {
844 $className = $prefix . $type . '_' .
845 substr(md5(microtime()), 0, 8);
846 } while (class_exists($className, false));
847 }

Jaypan’s picture

That's just a random value generator, there isn't any necessity for security with that. It's just hashing the current time with md5(), then grabbing the first eight characters of the hash.

mmjvb’s picture

It is phpunit in the vendor folder. Anything in there is as is, it doesn't mean it is used in drupal core!

Jaypan’s picture

Oh, I didn't even notice that!